CVE-2017-1000424: Electron vulnerable to URL spoofing via PDFium
4.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.50497%
CWE
Published
5/13/2022
Updated
9/13/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Electron | npm | >= 1.7.0, < 1.7.6 | 1.7.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two key issues: 1) Insecure URL construction in PDF resource handling that failed to properly escape user-controlled PDF URLs, allowing parameter injection. 2) Dangerous unescaping rules when parsing the PDF src parameter that permitted spoofable characters. The GitHub patch shows the addition of net::EscapeUrlEncodedData
for proper encoding and removal of unsafe unescape rules, directly addressing these vulnerable code paths. The added test case verifying URL escaping confirms these were the attack vectors.